Merge pull request #4 from aboe76/ipset_support

add ipset support for firewalld
2016-09-05 15:43:09 +02:00 · 2016-09-05 15:43:09 +02:00 · aeeb6fd38a
commit aeeb6fd38a
parent 68bebd6fbb c5a01c837e
7 changed files with 152 additions and 8 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-0.1.0
+0.2.0
--- a/firewalld/defaults.yaml
+++ b/firewalld/defaults.yaml
@ -2,5 +2,6 @@
 # vim: ft=yaml
 firewalld:
  package: firewalld
+  ipsetpackage: ipset
  service: firewalld
  config: /etc/firewalld.conf
--- a/firewalld/files/ipset.xml
+++ b/firewalld/files/ipset.xml
@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="utf-8"?>
+<ipset{%- if 'type' in ipset %} type="{{ ipset.type }}" {%- endif %}>
+{%- if 'short' in ipset %}
+  <short>{{ ipset.short }}</short>
+{%- endif %}
+{%- if 'description' in ipset %}
+  <description>{{ ipset.description }}</description>
+{%- endif %}
+{%- if 'options' in ipset %}
+{%- if 'maxelem' in ipset.options %}
+{%- for v in ipset.options.maxelem %}
+  <option name="maxelem" value="{{ v }}"/>
+    {%- endfor %}
+{%- endif %}
+{%- if 'timeout' in ipset.options %}
+{%- for v in ipset.options.timeout %}
+  <option name="timeout" value="{{ v }}"/>
+{%- endfor %}
+{%- endif %}
+{%- if 'hashsize' in ipset.options %}
+{%- for v in ipset.options.hashsize %}
+  <option name="hashsize" value="{{ v }}"/>
+{%- endfor %}
+{%- endif %}
+{%- endif %}
+{%- if 'entries' in ipset %}
+{%- for v in ipset.entries %}
+  <entry>{{ v }}</entry>
+{%- endfor %}
+{%- endif %}
+</ipset>
--- a/firewalld/files/zone.xml
+++ b/firewalld/files/zone.xml
@ -52,6 +52,9 @@
  {%- else %}
  <rule>
  {%- endif %}    
+  {%- if 'ipset' in rule %}
+    <source ipset="{{ rule.ipset.name }}"/>
+  {%- endif %}
  {%- if 'source' in rule %}
    <source address="{{ rule.source.address }}" {%- if 'invert' in rule.source %}invert="{{ rule.source.invert }}"{%- endif %}/>
  {%- endif %}    
--- a/firewalld/init.sls
+++ b/firewalld/init.sls
@ -8,6 +8,7 @@
 {% if salt['pillar.get']('firewalld:enabled') %}
 include:
  - firewalld.config
+  - firewalld.ipsets
  - firewalld.services
  - firewalld.zones

--- a/firewalld/ipsets.sls
+++ b/firewalld/ipsets.sls
@ -0,0 +1,48 @@
+# == State: firewalld.ipsets
+#
+# This state ensures that /etc/firewalld/ipsets/ exists.
+#
+{% from "firewalld/map.jinja" import firewalld with context %}
+
+{%- if salt['pillar.get']('firewalld:ipset') %}
+package_ipset:
+  pkg.installed:
+    - name: {{ firewalld.ipsetpackage }}
+
+directory_firewalld_ipsets:
+  file.directory:            # make sure this is a directory
+    - name: /etc/firewalld/ipsets
+    - user: root
+    - group: root
+    - mode: 750
+    - require:
+      - pkg: package_firewalld # make sure package is installed
+    - listen_in:
+      - module: service_firewalld # restart service
+
+# == Define: firewalld.ipsets
+#
+# This defines a ipset configuration, see firewalld.ipset (5) man page.
+#
+{% for k, v in salt['pillar.get']('firewalld:ipsets', {}).items() %}
+{% set z_name = v.name|default(k) %}
+
+/etc/firewalld/ipsets/{{ z_name }}.xml:
+  file.managed:
+    - name: /etc/firewalld/ipsets/{{ z_name }}.xml
+    - user: root
+    - group: root
+    - mode: 644
+    - source: salt://firewalld/files/ipset.xml
+    - template: jinja
+    - require:
+      - pkg: package_firewalld # make sure package is installed
+      - file: directory_firewalld_ipsets
+    - listen_in: 
+      - module: service_firewalld   # restart service
+    - context:
+        name: {{ z_name }}
+        ipset: {{ v }}
+
+{% endfor %}
+{%- endif %}
--- a/pillar.example.sls
+++ b/pillar.example.sls
@ -1,31 +1,91 @@
-# CentOS7 FirewallD firewall
+# FirewallD pillar examples:
 firewalld:
  enabled: True
+  ipset: True
  default_zone: public
+
  services:
    sshcustom:
      short: sshcustom
      description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
      ports:
-        tcp: 
+        tcp:
          - 3232
          - 5252
-      modules: 
+      modules:
        - some_module_to_load
      destinations:
-        ipv4: 
+        ipv4:
          - 224.0.0.251
          - 224.0.0.252
-        ipv6: 
+        ipv6:
          - ff02::fb
          - ff02::fc
+
+    zabbixcustom:
+      short: Zabbixcustom
+      description: "zabbix custom rule"
+      ports:
+        tcp:
+          - "10051"
+    salt-minion:
+      short: salt-minion
+      description: "salt-minion"
+      ports:
+        tcp:
+          - "8000"
+
+  ipsets:
+    fail2ban-ssh:
+      short: fail2ban-ssh
+      description: fail2ban-ssh ipset
+      type: 'hash:ip'
+      options:
+        maxelem:
+          - 65536
+        timeout:
+          - 300
+        hashsize:
+          - 1024
+      entries:
+        - 10.0.0.1
+
+
  zones:
    public:
      short: Public
      description: "For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted."
      services:
        - http
+        - zabbixcustom
        - https
        - ssh
-        - dhcpv6-client
-
+        - salt-minion
+      rich_rules:
+        - family: ipv4
+          source:
+              address: 8.8.8.8/24
+          accept: true
+        - family: ipv4
+          ipset:
+            name: fail2ban-ssh
+          reject:
+            type: icmp-port-unreachable
+      ports:
+{% if grains['id'] == 'salt.example.com' %}
+        - comment: salt-master
+          port: 4505
+          protocol: tcp
+        - comment: salt-python
+          port: 4506
+          protocol: tcp
+{% endif %}
+        - comment: zabbix-agent
+          port: 10050
+          protocol: tcp
+        - comment: bacula-client
+          port: 9102
+          protocol: tcp
+        - comment: vsftpd
+          port: 21
+          protocol: tcp
 @ -1 +1 @@
 .1.0
 .2.0